| ๐ผ 1 Cryptographic techniques refer to methods used to encrypt data, confirm its authenticity or verify its integrity. The following are examples where APRA-regulated entities could deploy cryptographic techniques given the risks involved: | 4 | | | |
| ย ย ย ย ๐ผ a. transmission and storage of critical and/or sensitive data in an โuntrustedโ environment or where a higher degree of security is required; | | | | |
| ย ย ย ย ๐ผ b. detection of any unauthorised alteration of data; | | | | |
| ย ย ย ย ๐ผ c. verification of the authenticity of transactions or data; | | | | |
| ย ย ย ย ๐ผ d. protection of customer PINs which are typically used for debit/credit cards and online services. | | | | |
| ๐ผ 2 An APRA-regulated entity would typically select cryptographic techniques based on the nature of the activity and the sensitivity and criticality of the data involved. The cryptographic techniques would typically be reviewed on a regular basis to ensure that they remain commensurate with vulnerabilities and threats. | | | | |
| ๐ผ 3 APRA envisages that a regulated entity would select encryption algorithms from the population of well-established and proven international standards that have been subjected to rigorous public scrutiny and verification of effectiveness. The length of a cryptographic key would typically be selected to render a brute force attack9 impractical (i.e. would require an extremely long period of time to breach using current computing capabilities). | | | | |
| ๐ผ 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed. | | 6 | 7 | |
| ๐ผ 5 An APRA-regulated entity would typically deploy, where relevant, controls to limit access to cryptographic keys, including: | 6 | | | |
| ย ย ย ย ๐ผ a. use of physically and logically protected devices and environments to store and generate cryptographic keys, generate PINs and perform encryption and decryption. In most cases this would involve the use of Hardware Security Modules10 (HSMs) or similarly secured devices; | | | | |
| ย ย ย ย ๐ผ b. use of cryptographic techniques to maintain cryptographic key confidentiality; | | | | |
| ย ย ย ย ๐ผ c. segregation of duties, with no single individual having knowledge of the entire cryptographic key (i.e. two-person controls) or having access to all the components making up these keys; | | | | |
| ย ย ย ย ๐ผ d. predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk; | | 3 | 4 | |
| ย ย ย ย ๐ผ e. clearly defined cryptographic key revocation processes; | | | | |
| ย ย ย ย ๐ผ f. the deployment of detection techniques to identify any instances of cryptographic key substitution. | | | | |